From owner-freebsd-security Wed Oct 4 10:14:58 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139])
    by hub.freebsd.org (Postfix) with ESMTP id B085637B66C
    for ; Wed, 4 Oct 2000 10:14:52 -0700 (PDT)
Received: (qmail 89756 invoked by uid 1000); 4 Oct 2000 17:16:02 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
    by localhost with SMTP; 4 Oct 2000 17:16:02 -0000
Date: Wed, 4 Oct 2000 12:16:02 -0500 (CDT)
From: Mike Silbersack
To: security@freebsd.org
Subject: Re: OpenBSD Security Advisory (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Are we patched?

Mike "Silby" Silbersack

---------- Forwarded message ----------
Date: Wed, 4 Oct 2000 00:31:03 -0700
From: K2
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: OpenBSD Security Advisory

Hi,

Here is another exploit for an application (fstat) that OpenBSD's format string audit has seemingly forgotten about.

What I would like to know is why this and a number of other privileged applications have security vulnerabilities in them. They WERE fixed, but NO ADVISORY nor ANY MENTION IN THEIR DAILY CHANGELOG! How can the impact of the vulnerability not be realized when they occur in something as privileged as that would be using pw_error()?